Terms of Service

You may use Bao only if you are at least 18 years old, have full legal capacity to form a binding contract, and are not barred from using the Service under applicable law. You may not use Bao if you are a competitor of Dragonfly developing a comparable product, except with our prior written consent.

If you are using Bao on behalf of an organization, references to "Customer" in these Terms are to that organization, and you must have authority to bind it. If you do not, do not use Bao.

You must register an account with accurate information and keep that information current. You are responsible for safeguarding your credentials, including any OAuth-issued tokens, and for all activity that occurs under your account.

For Business and Enterprise tiers, we support single sign-on via SAML/OIDC. You are responsible for provisioning and de-provisioning users, configuring role-based access control (RBAC), and reviewing your audit logs.

You agree to notify us at security@getbao.app immediately upon learning of any unauthorized access, credential compromise, or security incident affecting your use of the Service.

Bao reads metadata from the systems you connect (GitHub, Vercel, Supabase, Stripe, Sentry, Cloudflare, Render, AWS, and any of the 2,000+ apps reachable via Pipedream Connect), runs production-readiness scans, generates a readiness score, surfaces signals and severities, and proposes auto-fix remediations using AI models from Anthropic, OpenAI, and Google Vertex AI. Source code is processed in memory and is not retained.

Read-only by default. By default, Bao requests read-only OAuth scopes from each integration. Where write scopes exist, Bao will not execute a write without your explicit, in-app approval (an "Approved Write"). You are responsible for reviewing each proposal and Approved Write.

AI disclaimer. Auto-fix proposals and explanations are AI-generated suggestions. They are not guaranteed to be correct, complete, secure, performant, or appropriate for your environment. You must review every proposal before approving it. Approving a proposal is your decision; Bao executes only what you approve.

Service tiers. Bao offers Free ($0), Founder ($39/mo), Team ($59/active developer/mo), Business ($99/active developer/mo), and Enterprise (custom, annual prepay) tiers, with feature differences described on getbao.app/pricing. We may change tier features with reasonable notice; if a change materially reduces a feature in your active tier, you may cancel and receive a prorated refund of the unused portion of your prepaid term.

You represent and warrant, on a continuing basis, that:

• Authority. You have authority and all necessary rights to grant Bao the OAuth scopes and access it requests, and to permit Bao to scan and propose changes to the connected systems.
• Ownership. You either own or have a valid license to the repositories, services, accounts, and data you connect to Bao. You will not connect third-party systems for which you lack authorization.
• Platform ToS. Your use of Bao does not violate the terms of service of any platform you connect (including GitHub, AWS, Vercel, Supabase, Stripe, Cloudflare, Render, Sentry, and platforms reachable via Pipedream).
• No regulated data. You will not upload to Bao or cause Bao to process protected health information (PHI) governed by HIPAA, payment card data subject to PCI-DSS beyond what flows to Stripe in the ordinary course, or special-category data under GDPR. HIPAA is out of scope for Bao.
• Compliance. You will use Bao in compliance with all applicable laws, including export-control, sanctions, anti-bribery, data-protection, and privacy laws.

You are solely responsible for the consequences of any Approved Write, including any production outage, data loss, security exposure, or third-party claim resulting from a change you approved. We strongly recommend approving writes only after review by an authorized engineer and only against environments where you have an effective backup and rollback plan.

You will not, and will not permit anyone to:

• Reverse engineer or copy. Reverse engineer, decompile, or attempt to extract the source code of Bao, except to the limited extent applicable law permits despite this restriction.
• Resell or sublicense. Resell, sublicense, or otherwise commercially exploit the Service except as expressly permitted in these Terms.
• Abuse infrastructure. Probe, scan, denial-of-service, load-test, or otherwise attempt to disrupt the Service or any underlying infrastructure without our prior written authorization. Authorized vulnerability research is welcome — email security@getbao.app first.
• Circumvent limits. Circumvent rate limits, seat counts, or feature gates, including by creating multiple accounts to bypass tier limits.
• Misuse AI features. Use auto-fix proposals or other AI features to generate malicious code, malware, illegal content, or content that violates third-party rights.
• Train competing models. Use Bao's outputs to train, fine-tune, or evaluate a model that competes with Bao.
• Violate law. Use the Service for any unlawful, fraudulent, harmful, or deceptive purpose.

Subscription. Paid plans are billed monthly or annually in advance via Stripe in U.S. dollars (USD), unless otherwise stated. Founder is billed at $39 per month, flat. Team is billed at $59 per active developer per month. Business is billed at $99 per active developer per month. Enterprise is billed annually under an Order Form.

Active developer. An "active developer" is a User who triggers a scan, generates an auto-fix proposal, or approves a write within a billing period. Viewer seats (read-only access) are included on each tier as described on getbao.app/pricing and do not count as active developers.

Auto-renewal. Subscriptions auto-renew at the end of each billing period at the then-current price. You may cancel auto-renewal at any time in your account settings; cancellation takes effect at the end of the current period and you retain access through that period.

Refunds. Fees are non-refundable except (a) where required by law, (b) where we materially reduce a paid feature mid-term (Section 3), or (c) at our sole discretion as a goodwill gesture. We do not refund partial-month usage on monthly plans.

Late payment and suspension. We may suspend the Service for accounts more than 14 days past due, after providing a written reminder. Continued non-payment may result in termination under Section 13.

Taxes. Fees exclude all applicable taxes (sales, use, VAT, GST, withholding). You are responsible for paying all taxes other than taxes on Dragonfly's net income. If we are required to collect tax, we will add it to the invoice.

Price changes. We may change subscription prices on at least 30 days' notice. Price changes take effect at the start of the next renewal term and do not affect a current prepaid period.

Dragonfly's rights. Dragonfly and its licensors retain all right, title, and interest in and to the Service, including the software, models, scoring methodology, signal definitions, documentation, and the Bao trademarks and brand assets. No rights are granted to you except as expressly set out in these Terms.

Your rights. Subject to these Terms and timely payment of fees, Dragonfly grants you a non-exclusive, non-transferable, worldwide right to access and use the Service during the subscription term for your internal business use.

Customer Data. As between the parties, you own and retain all rights to your repositories, scan inputs, scan results that contain your code-derived information, and any other data you submit to or generate through the Service ("Customer Data"). You grant Dragonfly a worldwide, non-exclusive, royalty-free license to host, process, transmit, and display Customer Data solely to operate, maintain, secure, and improve the Service for you, and to comply with law.

Aggregated, de-identified data. Dragonfly may generate aggregated, de-identified statistics and signal patterns from Customer Data — never including the contents of source code or personally identifying information — for benchmarking, product development, and security research. Aggregated data does not identify you or your users.

AI inputs and outputs. Inputs you submit (such as repository metadata) are sent to AI sub-processors as described in our Privacy Policy. Outputs generated for you (such as auto-fix proposals) are owned by you, but Dragonfly retains ownership of the underlying models, prompts, and tooling that produce them. Dragonfly does not use Customer Data to train base models, and configures sub-processors to disable training on Customer Data where the option is offered. Enterprise Customers may request a written zero-retention configuration via DPA.

Feedback. If you provide ideas, suggestions, or feedback to Dragonfly, you grant Dragonfly a perpetual, irrevocable, royalty-free, worldwide license to use that feedback without obligation, provided we do not identify you as the source without your consent.

Each party may receive non-public information of the other ("Confidential Information"), including business plans, technical information, and Customer Data. The receiving party will use Confidential Information only to perform under these Terms, will protect it with at least the same care it uses for its own confidential information (and no less than reasonable care), and will not disclose it to any third party except to employees, contractors, and sub-processors bound by similar obligations and on a need-to-know basis.

Exclusions. Confidential Information does not include information that is public through no breach of these Terms, was known to the receiving party before disclosure, was independently developed without reference to the disclosing party's information, or was rightfully received from a third party.

Mutual warranties. Each party warrants that it has the authority to enter into these Terms. Dragonfly warrants that it will provide the Service in a professional manner consistent with industry standards.

DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY LAW, DRAGONFLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. DRAGONFLY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT AUTO-FIX PROPOSALS WILL BE CORRECT, COMPLETE, OR APPROPRIATE FOR YOUR ENVIRONMENT.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF ADVISED OF THE POSSIBILITY.

EXCEPT FOR (a) A PARTY'S INDEMNIFICATION OBLIGATIONS, (b) BREACH OF CONFIDENTIALITY, (c) YOUR PAYMENT OBLIGATIONS, OR (d) YOUR INFRINGEMENT OF DRAGONFLY'S INTELLECTUAL PROPERTY, EACH PARTY'S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE FEES YOU PAID FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY.

Some jurisdictions do not allow certain disclaimers or limitations, so portions of this section may not apply to you. Nothing in these Terms limits liability that cannot be limited by law (for example, fraud or gross negligence).

By Dragonfly. Dragonfly will defend you against any third-party claim alleging that the Service, when used as permitted under these Terms, infringes a U.S. patent, copyright, trademark, or trade secret, and will pay damages and costs finally awarded by a court of competent jurisdiction or agreed in settlement, provided you (a) promptly notify us of the claim, (b) give us sole control of the defense and settlement, and (c) cooperate reasonably. If the Service is held to infringe, we may at our option (i) modify it to be non-infringing, (ii) procure rights for you to continue using it, or (iii) terminate the Service and refund prepaid, unused fees. This Section states our entire liability and your sole remedy for IP infringement.

By you. You will defend Dragonfly against any third-party claim arising from (a) Customer Data, (b) your violation of these Terms, (c) your violation of any law, or (d) your infringement of any third-party right; and pay damages and costs finally awarded or agreed in settlement, subject to the same notice/control/cooperation conditions above.

We may modify the Service from time to time, including by adding, removing, or changing features. We will provide reasonable advance notice of changes that materially reduce a paid feature in your active tier; your remedy is set out in Section 3.

We may modify these Terms by posting the updated version at getbao.app/terms and, for material changes, by emailing the address on your account at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you must stop using the Service.

Term. These Terms start when you first accept them and continue while you use the Service.

Termination for convenience. You may cancel your subscription at any time in your account settings or by emailing hello@getbao.app. Cancellation takes effect at the end of the current paid period.

Termination for cause. Either party may terminate immediately on written notice if the other materially breaches these Terms and fails to cure within 30 days, or if the other party becomes insolvent or files for bankruptcy.

Suspension. We may suspend access immediately, with notice where reasonable, if (a) you breach Sections 4 or 5, (b) your use creates a security risk to the Service or others, (c) we are legally required to suspend, or (d) your account is more than 14 days past due.

Effects of termination. Upon termination, your right to use the Service ends. We will return or delete Customer Data in accordance with our Privacy Policy and DPA. Sections 7, 8, 9, 10, 11, 14, and 15 survive termination, along with any other provision that by its nature should survive.

Governing law. These Terms are governed by the laws of the State of Florida, USA, without regard to its conflict-of-laws principles, except to the extent that the laws of Hong Kong SAR are mandatorily applicable to a Customer based in Hong Kong.

Forum. Subject to the optional arbitration below, the state and federal courts located in Miami-Dade County, Florida, will have exclusive jurisdiction over any dispute arising out of or relating to these Terms, and each party consents to personal jurisdiction and venue there. Hong Kong-based Customers may, where required by Hong Kong law, alternatively bring claims in the courts of Hong Kong SAR, and Dragonfly consents to jurisdiction there for that purpose.

Informal resolution. Before filing a claim, the parties will attempt in good faith to resolve the dispute by emailing legal@getbao.app and conferring for at least 30 days.

Optional arbitration. Either party may elect to resolve any dispute (other than equitable relief, IP enforcement, and small-claims matters) by confidential binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, seated in Miami-Dade County, Florida, and conducted in English. The arbitration award is final and may be entered in any court of competent jurisdiction. Each party waives any right to a jury trial.

Class waiver. Disputes will be resolved on an individual basis only; no class, representative, or consolidated proceedings are permitted, except where prohibited by law.

UN CISG and Limitation. The U.N. Convention on Contracts for the International Sale of Goods does not apply. Any claim must be brought within one (1) year of the act or omission giving rise to the claim, except where a longer period is required by mandatory law.

Entire agreement. These Terms (together with any Order Form, the Privacy Policy, and any DPA) are the entire agreement between the parties concerning the Service and supersede all prior agreements on that subject.

Order of precedence. In the event of conflict: (1) executed Order Form, (2) DPA, (3) these Terms, (4) Privacy Policy.

Assignment. You may not assign these Terms without our prior written consent, except to a successor in connection with a merger, acquisition, or sale of substantially all of your assets, on notice. Dragonfly may assign these Terms in connection with a corporate transaction. Any other purported assignment is void.

Force majeure. Neither party is liable for failure to perform due to events beyond its reasonable control (natural disasters, war, terrorism, civil unrest, governmental action, internet or utility outages affecting third-party providers).

Notices. Notices to Dragonfly: legal@getbao.app. Notices to Customer: the email address on the account. Notices are effective when sent if no bounce is received within 24 hours.

Severability. If any provision is held unenforceable, the remainder of these Terms remains in effect, and the parties will replace the unenforceable provision with an enforceable one that most closely reflects the original intent.

No waiver. Failure to enforce a provision is not a waiver. No waiver is effective unless in writing.

Independent contractors. The parties are independent contractors. Nothing creates a partnership, agency, or employment relationship.

Export. You will comply with all applicable U.S., Hong Kong, and other export-control and sanctions laws. You represent that you and your end users are not on any U.S. denied-party list and are not located in a country subject to U.S. embargo.

Government users. The Service is "commercial computer software" under FAR 2.101 and DFARS 12.212. U.S. Government users acquire only the rights set forth in these Terms.

Language. The English version of these Terms governs in case of conflict with any translation. We provide a Traditional Chinese (zh-HK) translation for convenience.

Questions about these Terms? Contact us:

• Legal. legal@getbao.app
• General. hello@getbao.app
• Privacy. privacy@getbao.app
• Security. security@getbao.app
• Postal — Hong Kong. Dragonfly Interactive (HK) Limited, Hong Kong SAR. (Full registered office available on request.)
• Postal — United States. Dragonfly Interactive (HK) Limited, c/o Florida operations. (Full address available on request.)